Introduction
As promised, here is another use case and example of Proactive Remediations in the new Endpoint Analytics feature in Microsoft Endpoint Manager (Intune).
- New to Endpoint Analytics? Then grab a quick peek at the following docs: What is Endpoint analytics (preview)?
In this example, I'm locating all devices that are currently not using Windows Hello for Business, and displaying a Toast Notification to the logged-on user to remind them to get started.
If your organization is promoting or requiring Windows Hello for Business, you will want to make sure that users actually set it up, and if not, nag them continuously until it is done.
- I have previously done something similar with Configuration Manager: Remind users to enroll into Windows Hello for Business using Toast Notifications and ConfigMgr
Proactive Remediations
To get this started, head into the Endpoint analytics space of Microsoft Endpoint Manager:
- Log into the Microsoft Endpoint Manager Admin center: https://endpoint.microsoft.com/
- Browse your way through Reports and Endpoint analytics (preview)
- Browse to Proactive remediations
- Click + Create script package
Detection Script
The detection script is the one doing the magic: it locates devices that are not using Windows Hello for Business.
The script is available from my GitHub page: https://github.com/imabdk/Powershell/blob/master/Detect-WindowsHelloEnrollment.ps1
The detection script goes into the Detection script area, which is mandatory. Keep in mind that the script runs as SYSTEM unless you choose to run it with the logged-on credentials, and that Intune shows only the last line of its output, so the script has to work out who is logged on by itself and report its verdict in a single line.
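The following is an added example of such a detection script. It is not the author's Detect-WindowsHelloEnrollment.ps1, only a script written here to show the shape a Proactive Remediations detection takes: resolve the interactively logged-on user's SID while running as SYSTEM, check whether that user has a PIN (Windows Hello) credential, write one line of output, and exit 1 to request remediation or 0 to report compliance. The registry location used for the check is an assumption (a per-user subkey under the NgcPin\Credentials key); confirm it on a device you know is enrolled before relying on it.

```powershell
# Added example detection script (not the author's script). Runs as SYSTEM by
# default for Proactive Remediations, so it resolves the logged-on user itself.
# Assumption: a completed PIN / WHfB enrollment creates a subkey named after the
# user's SID under this key. Verify on a known-enrolled device first.
$NgcPinKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin\Credentials'

function Get-LoggedOnUserSid {
    # Win32_ComputerSystem.UserName holds DOMAIN\user (or AzureAD\user) for the
    # console session and is empty when nobody is logged on.
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not [string]::IsNullOrWhiteSpace($userName)) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($userName)
            return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Translation can fail (e.g. no line of sight to a DC); fall through.
        }
    }
    # Fallback: a loaded user hive that has a Volatile Environment key belongs
    # to an interactive session. S-1-5-21 = AD/local accounts, S-1-12-1 = Azure AD.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object {
            $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' -and
            (Test-Path -Path "Registry::HKEY_USERS\$($_.PSChildName)\Volatile Environment")
        } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

function Test-WhfbEnrolled {
    param([Parameter(Mandatory)][string]$Sid)
    if (-not (Test-Path -Path $NgcPinKey)) { return $false }
    # Enrollment is per user: look for a subkey named exactly after this SID.
    $enrolledSids = (Get-ChildItem -Path $NgcPinKey -ErrorAction SilentlyContinue).PSChildName
    return ($enrolledSids -contains $Sid)
}

$sid = Get-LoggedOnUserSid
if (-not $sid) {
    # Nobody to notify. Report compliant so no remediation runs now; the device
    # is simply re-evaluated on the next scheduled run.
    Write-Output 'No interactive user logged on. Skipping.'
    exit 0
}

# Intune surfaces only the last output line, so keep the verdict to one line.
if (Test-WhfbEnrolled -Sid $sid) {
    Write-Output "All good. PIN credential provider found for $sid."
    exit 0
}
else {
    Write-Output "Not good. PIN credential provider NOT found for $sid. User is not enrolled in WHfB."
    exit 1
}
```

Exiting 0 when no user is logged on is a deliberate choice: flagging an unattended device "With Issues" would only pollute the report, and the remediation (a toast) has nobody to show itself to anyway.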
Remediation script
- NOTE: A Remediation script is not required. If you don't intend to display a toast notification to the users, simply leave the remediation script blank. In that case, you can use the feature purely for its audit and monitoring possibilities.
The remediation script is my entire Windows 10 Toast Notification Script found here: https://www.imab.dk/windows-10-toast-notification-script/
Proactive Remediations don't support passing parameters to the script, so for the Toast Notification Script to work, you will have to hard-code the path to the config.xml file.
NOTE: Again, the Toast Notification Script has been modified to support config.xml files hosted online. Here, I'm hosting a config.xml in Azure blob storage. Since the script renders whatever that file contains on every targeted device, keep write access to the storage container locked down and only reference it over https:
[string]$Config = "https://krpublicfiles.blob.core.windows.net/toastnotification/config-toast-whfb.xml"
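To make the two points above concrete (no parameters, so the config location is hard-coded; and the config may live at an https URL or on a local path), here is an added, self-contained remediation script. It is not the author's Windows 10 Toast Notification Script, only a minimal stand-in written for this page. The config.xml layout (a `Toast` root with `Title`, `Body` and an optional `Button` element) is an assumption made for this example and is not the author's config format; the config URL is the one from the post. Assign it with "Run this script using the logged-on credentials" set to Yes and the 64-bit PowerShell host, because a toast raised from the SYSTEM session is never shown to the user.

```powershell
# Added example remediation script (not the author's toast script).
# Requires Windows PowerShell 5.1 (WinRT type projection is not available in
# PowerShell 7 without extra modules) and must run in the user's session.

# No parameters reach a Proactive Remediations script, so hard-code the config.
# Either an https:// URL or a local path such as C:\ProgramData\Toast\config.xml.
[string]$Config = 'https://krpublicfiles.blob.core.windows.net/toastnotification/config-toast-whfb.xml'

function Get-ToastConfig {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -match '^https://') {
        # The config decides what the user sees and what the button launches,
        # so only fetch it over TLS. -UseBasicParsing avoids the IE engine.
        $raw = (Invoke-WebRequest -Uri $Path -UseBasicParsing -TimeoutSec 15).Content
    }
    elseif ($Path -match '^http://') {
        throw "Refusing to load toast config over plain http: $Path"
    }
    elseif (Test-Path -LiteralPath $Path) {
        $raw = Get-Content -LiteralPath $Path -Raw
    }
    else {
        throw "Config not found: $Path"
    }
    return [xml]$raw
}

function Show-Toast {
    param([Parameter(Mandatory)][xml]$ToastConfig)
    # Load the WinRT types needed to raise a toast from PowerShell.
    [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null
    [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime] | Out-Null

    # Assumed config layout: <Toast><Title/><Body/><Button Text="" Protocol=""/></Toast>
    $title  = [System.Security.SecurityElement]::Escape($ToastConfig.Toast.Title)
    $body   = [System.Security.SecurityElement]::Escape($ToastConfig.Toast.Body)
    $button = $ToastConfig.Toast.Button

    # The config is remote input: only allow a known-safe protocol for the
    # action button instead of launching whatever handler the file names.
    $allowedProtocols = @('ms-settings:signinoptions')
    $actions = ''
    if ($button -and ($allowedProtocols -contains $button.Protocol)) {
        $label   = [System.Security.SecurityElement]::Escape($button.Text)
        $actions = "<actions><action content=""$label"" arguments=""$($button.Protocol)"" activationType=""protocol""/></actions>"
    }

    $toastXml = @"
<toast>
  <visual><binding template="ToastGeneric"><text>$title</text><text>$body</text></binding></visual>
  $actions
</toast>
"@
    $doc = New-Object Windows.Data.Xml.Dom.XmlDocument
    $doc.LoadXml($toastXml)
    $toast = New-Object Windows.UI.Notifications.ToastNotification $doc
    # Any registered AUMID works as the sender; PowerShell's own shortcut is present on every box.
    $appId = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'
    [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($appId).Show($toast)
}

try {
    $cfg = Get-ToastConfig -Path $Config
    Show-Toast -ToastConfig $cfg
    # Last output line is what shows up in the Intune portal and IME log.
    Write-Output 'All good. Toast notification was displayed'
    exit 0
}
catch {
    Write-Output "Not good. Toast notification failed: $($_.Exception.Message)"
    exit 1
}
```

The protocol allow-list is the part worth keeping when adapting this: `ms-settings:signinoptions` drops the user straight into the Sign-in options page where Windows Hello is set up, and refusing any other value means a modified config cannot turn the reminder into a launcher for something else.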
Assignments
Assignments is the last part of the setup; this is also where you decide how often the script will run.
I have a collection in Configuration Manager that is synced to Microsoft Intune, and I'm running this every hour.
In Action
When everything is set up properly, you will see that the detection script finds devices that are not enrolled in Windows Hello for Business.
On those devices, a Toast Notification is displayed, similar to the toast examples at the beginning of this post.
Taking a closer look at IntuneManagementExtension.log (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs), you will also notice the reason the Toast Notification was displayed:
[HS] lastLine of output = [Multiple SIDs]: Not good. PIN credential provider NOT found for LoggedOnUserSID. This indicates that the user is not enrolled into WHfB.
And when the Remediation script runs, the Toast Notification Script writes an output line once the toast has been displayed successfully:
[HS] lastLine of output = All good. Toast notification was displayed
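When troubleshooting a device, it is handy to pull just those "lastLine of output" entries out of the log rather than scrolling through it. The snippet below is an added example written for this page (not part of the original post or of Intune): it parses the CMTrace-style lines that IntuneManagementExtension.log uses and returns them as objects. The two sample lines are constructed, modelled on the two log entries quoted above.

```powershell
# Added example: extract "[HS] lastLine of output" entries from the IME log.
# The log uses the CMTrace format: <![LOG[message]LOG]!><time="..." date="..." ...>
$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

function Get-RemediationOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '<!\[LOG\[\[HS\] lastLine of output = (?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Date   = $Matches.date
                Time   = $Matches.time
                # The scripts on this page start their verdict with "All good" / "Not good".
                Status = if ($Matches.msg -match '^(\[.*?\]:\s*)?All good') { 'OK' } else { 'Issue' }
                Output = $Matches.msg
            }
        }
    }
}

# Constructed sample lines in the format the real log uses (not real log data).
$sampleLines = @(
    '<![LOG[[HS] lastLine of output = [Multiple SIDs]: Not good. PIN credential provider NOT found for LoggedOnUserSID. This indicates that the user is not enrolled into WHfB.]LOG]!><time="09:00:12.345+000" date="10-20-2020" component="IntuneManagementExtension" context="" type="1" thread="9" file="">',
    '<![LOG[[HS] lastLine of output = All good. Toast notification was displayed]LOG]!><time="09:00:20.111+000" date="10-20-2020" component="IntuneManagementExtension" context="" type="1" thread="9" file="">'
)
Get-RemediationOutput -Lines $sampleLines | Format-Table -AutoSize

# On a real device, run it over the actual log (it is only present where the IME agent is installed).
if (Test-Path -LiteralPath $LogPath) {
    Get-RemediationOutput -Lines (Get-Content -LiteralPath $LogPath) | Format-Table -AutoSize
}
```

Run against the sample lines this yields one `Issue` row (the detection verdict) followed by one `OK` row (the remediation reporting that the toast was shown), which is exactly the sequence you expect to see for a device that was flagged and then reminded.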
Monitoring
Even if you use this only for the monitoring possibilities, the device status page is quite clear about where to act.
In my example below, all the devices tagged as ‘With Issues’ have a Toast Notification displayed, telling the logged-on user to get going or face the consequences.
ENJOY 🙂
Hi Martin,
Thanks for sharing. I am basically looking for a Windows Hello for Business reporting tool or PowerShell script to check which machines in a domain or in a specific OU are fully enrolled and which are without WHfB.
Without being able to report progress, a project execution is in the dark, and that makes a large enterprise rollout hard without a reporting feature.
I am not
Sorry, meant to say I am not an endpoint or Config Manager guy.
So basically a script that will run against multiple computers, find devices that are not enrolled with WHfB, and write the output to a CSV file.
Hey, I don't have such an exact script, but what I'm doing would be easy to modify to output to .csv. I assume you have some way of running scripts on your endpoints? 🙂
Hey, the problem is I am finding it difficult to modify it and make it work natively. Need help if you can. I just need to run a simple script from an elevated PS to check the WHfB registry, match it with the logged-in user, and then export the output to CSV for compliant, non-compliant or offline PCs.
I'm not able to apply this remediation script in Configuration Manager. Have you tested this with MECM?
I have a similar post I believe, which covers the MECM portion. I think the script is slightly different 🙂
Totally doing this! How would you go about it if the XML is not hosted online but locally?
Trying to do something similar for prompting a reboot after machines exceed a particular uptime interval. The XML file is web-hosted, as are the images. The toast notifications are appearing correctly, but the "Restart now" button doesn't do anything. Any idea what I am missing?
Hey Martin,
Appreciate the work you are doing here. I've been fiddling around with your Win10 Toast Notification script in Intune, and for some reason I'm not able to get it working. My detection script is fairly simple: it's checking uptime, and if it is gr – 2 = 1 else 0.
For remediation I'm using your script with the config hard-coded to a local directory on the PC. I ran it in user context and for some reason it's not working. Any thoughts on the detection script?